Security researchers have unveiled a new instance of repojacking that affects millions of GitHub repositories.
According to an advisory published last week by Aqua Security Software, the discovered repojacking attack allows threat actors to execute code within organizations’ internal environments or their customers’ environments.
The company identified numerous high-profile targets, including organizations such as Google and Lyft, which were promptly notified and mitigated the risks.
In the technical write-up, the security firm explained that repojacking here occurs when an attacker takes advantage of the renaming feature on GitHub, which creates a link between old and new repository names.
Attackers can then exploit this vulnerability by acquiring the old repository names and redirecting users to their repositories, leading to code execution.
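The defensive counterpart of the mechanism just described is to find out where your own manifests and scripts still reference a repository by a retired name, because such a reference only keeps working through GitHub's rename redirect. The following Python script is an added example written for this article, not code from Aqua Security or from GitHub: it extracts `owner/repo` references from a set of files and classifies each one as `OK`, `REDIRECTED` (resolves only via a rename redirect and should be updated to the current name) or `DEAD`. The file contents, repository names and the rename table are constructed for the demo; the `live_resolver` function, which asks github.com for a 301 without following it, is an assumption about how such a check would be done online and is not exercised here.

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Optional, Tuple

Name = Tuple[str, str]  # (owner, repo)

# Constructed sample files; every repository name below is hypothetical.
SAMPLE_FILES: Dict[str, str] = {
    "requirements.txt": "git+https://github.com/old-org/util-lib.git@v1.2#egg=util-lib\nrequests==2.31.0\n",
    "go.mod": "module example.com/app\n\nrequire github.com/someone/toolkit v0.4.0\n",
    "install.sh": "curl -sSL https://github.com/old-org/installer/releases/latest/download/install.sh | sh\n",
    "package.json": '{"dependencies": {"widget": "github:acme/widget#main"}}\n',
}

# Matches https://github.com/o/r, github.com/o/r and the npm-style github:o/r form.
GITHUB_REF = re.compile(
    r"(?:https?://github\.com/|github\.com/|github:)"
    r"(?P<owner>[A-Za-z0-9_.-]+)/(?P<repo>[A-Za-z0-9_.-]+?)"
    r"(?:\.git)?(?=[/#@\s\"']|$)"
)


def find_github_refs(files: Dict[str, str]) -> List[Dict[str, str]]:
    """Return every owner/repo reference found, with the file it came from."""
    refs = []
    for path, text in files.items():
        for m in GITHUB_REF.finditer(text):
            refs.append({"file": path, "owner": m["owner"], "repo": m["repo"]})
    return refs


def audit(files: Dict[str, str], resolve: Callable[[str, str], Optional[Name]]) -> List[dict]:
    """Classify each reference using a resolver that returns the name the
    repository currently lives under, or None if it no longer exists."""
    findings = []
    for ref in find_github_refs(files):
        current = resolve(ref["owner"], ref["repo"])
        if current is None:
            status = "DEAD"  # nothing served at this name right now
        elif current != (ref["owner"], ref["repo"]):
            status = "REDIRECTED"  # works only through the rename redirect: update the reference
        else:
            status = "OK"
        findings.append({**ref, "status": status, "current": current})
    return findings


# Constructed rename table and existing-name set standing in for github.com.
RENAMES: Dict[Name, Name] = {
    ("old-org", "util-lib"): ("new-org", "util-lib"),
    ("old-org", "installer"): ("new-org", "installer"),
}
EXISTING = {("someone", "toolkit"), ("acme", "widget")}


def stub_resolver(owner: str, repo: str) -> Optional[Name]:
    """Offline stand-in for the live check."""
    key = (owner, repo)
    if key in RENAMES:
        return RENAMES[key]
    return key if key in EXISTING else None


def live_resolver(owner: str, repo: str) -> Optional[Name]:
    """Assumed online check (not run in this demo): issue a HEAD request without
    following redirects; a 301 Location header reveals the current name."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, req, fp, code, msg, headers, newurl):
            return None  # let the 301 surface as an HTTPError instead of following it

    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(f"https://github.com/{owner}/{repo}", method="HEAD")
    try:
        with opener.open(req, timeout=10) as resp:
            return (owner, repo) if resp.status == 200 else None
    except urllib.error.HTTPError as err:
        loc = err.headers.get("Location", "") if err.code in (301, 302) else ""
        m = re.search(r"github\.com/([^/]+)/([^/?#]+)", loc)
        return (m.group(1), m.group(2)) if m else None


if __name__ == "__main__":
    for f in audit(SAMPLE_FILES, stub_resolver):
        print(f"{f['status']:10} {f['file']:16} {f['owner']}/{f['repo']} -> {f['current']}")
```

Run against the constructed files, the two `old-org` references come back `REDIRECTED`; the remediation is simply to rewrite them to the current name so nothing depends on the redirect. For a real code base, swap `stub_resolver` for `live_resolver` (or an equivalent call against the GitHub API) and run the audit from CI whenever a manifest changes.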
“With motivation and some creative digital archaeology, anyone can dig up some past links to valuable repos that aren’t ancient but actively being used in code running now,” commented Timothy Morris, chief security advisor at Tanium.
“These are supply chain vulnerabilities. It is imperative that security teams and risk managers understand where all their software and dependencies originate from.”
In their advisory, the Aqua team demonstrated different exploitation scenarios, including automated downloads, manual downloads and code execution via repository releases. It also includes real-life examples of vulnerable repositories.
To compile their research, the security firm utilized the GHTorrent project’s database, which records public events on GitHub, including commits and pull requests.
Analyzing a sample dataset, they identified over 36,000 vulnerable repositories out of 1.25 million samples. Extrapolating this data to the entire GitHub repository base, it is estimated that there are potentially millions of vulnerable repositories.
“This highlights the risk that transcends issues with GitHub. Any references to ‘old’ names that are retired can be used by others if all the references aren’t changed everywhere,” explained John Bambenek, principal threat hunter at Netenrich.
According to the executive, GitHub repositories pose a risk of remote execution or the installation of backdoors. It is important to note that this risk extends to other resources as well, including email addresses and domain names, which nation-state actors have already exploited.
“Secure de-provisioning is something we are not really considering as we move more to cloud resources and open source, and it will continue to bite us harder until we start dealing with it,” Bambenek concluded.
The Aqua advisory comes months after VulnCheck discovered a series of malicious GitHub repositories masquerading as legitimate security research projects.